This month’s fraud briefing highlights the most recent fraud trends and what companies are doing to prevent becoming a statistic. Watch the video or read the transcript for a lively discussion on these issues and tangible takeaways to enhance the security within your business and personal lives.
Full webinar transcript:
Good morning, everyone. This is Tom with CertifID and I’m glad you could join this month’s monthly fraud briefing that we have record attendance again this month. I’m just glad you’re taking time out of your day. As far as housekeeping issues, this month we’re intending to have more interaction and I’m actually getting to some questions that we’ve queued up over the last couple months that we haven’t been able to respond to, but I do wanna open this up because we’re gonna be talking about some very recent fraud trends that we’ve picked up in the marketplace that all of you attending need to be aware of. So I’ll do my best to unpack and dissect those for you.
If you do have a question, go into the GoToMeeting bar. Brent, is that in the comments? Questions panel. There’s a questions panel there. I’m not talking to myself; my IT manager Brent’s on the other side of the room here. But if you wanna key those in, we’ll actually queue those up in a monitor I can see in real time and I’ll answer those at the end. Let’s get started. Everyone will receive a copy of the recording today following the presentation. I think we send that just a couple hours after we finish. I plan on finishing right at 11:45 eastern, 45 minutes from now.
For those of you that I haven’t had the privilege to meet, my name is Tom. I’m the Co-Founder and CEO of CertifID. I’m a licensed attorney in the state of Michigan and also one of the co-founders of Sun Title, a large title agency here in Michigan. Through our title experience, we’ve had a wire fraud incident in our organization dating back to 2015. We have spent time trying to recover funds through civil litigation, and I was ultimately called to testify for the Department of Justice against a cyber syndicate last fall in a criminal trial. We come to these fraud briefings, with the intention of providing not only information that we gleaned over the last 30 days, but also some practical tips, strategies, that you can take back not only to your organization, but I would say, as important now to the rest of the ecosystem, your referral partners and your trusted advisors that you’re working with on a regular basis. Today’s topics, we’re gonna start with some updated stats and trends around the issue of wire fraud. Just know that I will be pivoting all of the conversations going forward to much more solution-based. I know we know the problem’s huge. It continues to grow. I don’t think we need to grind that really any further, but I do want to make sure that people are aware that it’s something that still has to stay top of mind as we move forward. Some of the more recent stats that we’ve picked up, and unfortunately we just took another huge blow last year, wire fraud increasing 300% between 2017 and 2018. We’ll get into more granular reasons why and the strategies they’re using.
Business e-mail compromise… So business e-mail compromise is a type of cyber crime that has been identified specifically by the FBI as a crime that focuses on the diversion of some sort of a payment. It could be a wire payment, it could be an ACH payment, electronically. That’s what business e-mail compromise is, and it’s simply the fastest-growing cyber crime that they’re tracking right now. Higher level, we actually received 90 billion… Or the FBI did. The FBI received $90 billion worth of attempted reporting of wire fraud from the period of June of ’16 through December of 2018. Remember that only 10 to 15% of what’s taking place is actually reported, so you’re talking about quickly a very very large issue around the country. Buyers continue to be targets of scams, and we are seeing, you’ll hear about this in just a couple seconds, next-level scams again towards buyers in timing and sophistication. The courts are also, there’s still a lot of litigation in the space where companies are just trying to pivot around liability should a wire get diverted and funds be lost. Just be mindful that it’s an unsettled landscape, and if you’re struggling with getting your head around it, it’s hard. I do, sometimes, as well, because things continue to evolve and change in almost real time. Some things you need to know. This is one of the most alarming fraud trends that we have seen develop over the last 60 days, and that’s the timing at which they’re communicating with buyers in a real estate transaction.
We’re seeing instances now where they are being communicated… The fraudster is communicating with a buyer within the first two or three or four days of the buy-sell being signed, and then putting in front of the buyer fraudulent wiring instructions that appear like they’re coming from the title company that may be involved in the transaction. Here’s a news article. Here’s how I think they’re doing it. I’ve gotten enough information to kind of triangulate what I think the fraud strategy is. This is coming from multiple parts of the country. If a real estate agent’s e-mail is compromised, the fraudster would have this ability to the signed agreements that are coming in and the daily activity of the real estate agent, particularly early in the week. You show a lot on the weekends and then you have these Monday and Tuesday, Wednesday cycles where you’re processing and uploading things to the MLS.
Regardless of what the timing is, I believe they’re focusing on two types of profiles of purchase agreements. One, where a large earnest money deposit is stated in the purchase agreement. So if I’m getting any type of electronic file, a pdf or a DocuSign or a Dropbox, or Dotloop, it doesn’t matter, right? I can open that, as a fraudster, if I have access to the account, and now I believe they’re looking for contracts with large EMD, number one, or those where cash is listed as the payment mechanism. There’s no mortgage contingency. In a lot of our markets, like in our market, we have like a month of inventory, so we have no inventory. Cash is king. You wanna make the most competitive offer, and I think they know that, because the instances that we’ve heard of around the country have been large sums of earnest money deposit and true cash sales where the buyer has wired funds within the first seven days. One of them involved, and this was a really great trick on the part of the fraudster. Think about this: I’m a buyer and I get an e-mail and I just signed the purchase agreement, and an e-mail comes from what looks to be the title company saying, “Hey, congratulations “on the purchase of” insert address, because they have the address, the fraudster does. “And we’re looking forward to working “with you on the closing. “Just to let you know, pursuant to “Michigan law statute” whatever that they make up, “we need to have funds in our escrow account “30 days before closing or it may delay “or jeopardize the closing altogether. ”
Based on your contract expiration date of” x, which they have, “you need to initiate “and release these funds, or send this wire “within the next 48 hours.” So the believability that they’re threading into these e-mails to dupe people is just incredibly creative and it’s working. Just know right now that, and I know it’s hard because we’ll get a file open, at least for the title industry participants on the phone. We get a file open, a lot of times we don’t know who the buyer is ’cause the agent didn’t send it over, or we get on a bar napkin, you can barely read the address and they want you to get started with the search, and all the information’s supposed to follow during curative. But we can’t do that anymore, because we have to run under the assumption that they could be, the minute the buy-sell is activated or executed, the buyer’s a target, and we have an obligation to get to them as soon as possible with a proper notice. I’m gonna get to that as one of the strategies. But know that week one right now is starting to heat up as a scam. Another is just enticements or inducements that they’re putting into folks that are closing. Here’s an example coming out of L.A. Where a Camp Fire survivor, so this was the large fires out west. You’re gonna hear more about this. We’re workin’ on something cool with this family, but you’re gonna hear more from us about this story, but basically the fraudster comes in and says, “Hey, I can save you some money “on your closing fee if you would “just wire the funds earlier.”
They’re providing some incentive, more of a carrot than a stick if you will, than we’ve seen in the past. They get people to move the funds earlier, and to them, “Hey, I got it in the bank account. “Who cares if I wire it this week or next week? “If I can save a few hundred dollars “and it makes your life easy, no problem.” That’s what happened there. The other is whaling scams, and I’m gonna show you an example of one of these. In a whaling scam, we talked about this I believe in the February briefing, is where they’re impersonating a senior executive or somebody in more of an authoritative role in the organization and they’re trying to get someone else to do something within the organization that relates to a money transfer or gift cards or something that ultimately would be non-recoverable. Here’s a Better Business Bureau alert that was put out. It doesn’t have to be just our consumers are being defrauded or my disbursement team is being targeted. There’s a lot of internal activity that takes place. I’ve mentioned before that, guys, these folks, these cyber syndicates, from everything that we’ve learned, are industry agnostic, are personality, they’re even payment agnostic.
If they can grab value, monetary value from anyone, they will do that by any means. This is just another example. Some of the trends that we’re seeing, I would say that phishing continues to be the biggest issue. They’re using next-level strategies now for phishing with artificial intelligence and machine learning, but there are things that we can do, and we’re gonna talk about that. Phishing is absolutely the number one. For those of you that aren’t familiar with the term, quickly, think of it as I’m trolling around as a cyber fraudster, I’m profiling people, and I’m putting out these little phishing lures that are designed to do one of a few things: either gain some more personal information from somebody, maybe account credentials, maybe login credentials of an e-mail or some type of account, but I’m trying to pull a little more, I’m trying to curate a profile or sensitive information from an individual.
The way that I do that is I come in typically, I’m impersonating or spoofing a trusted resource or a trusted brand. And a vast majority of all cyber crime, especially where a payment is being exchanged, can relate back to somebody clicking on a phishing lure and having been successfully phished by the fraudster. The statistics are staggering in this area, so just know that phishing is not an if but more of a when scenario. A recent report showed that just in the last 12 months, and these stats are growing almost exponentially now, everyone’s experiencing it. Whether or not you recognize it, there are phishing e-mails that are coming into the ecosystem. Not everything can be blocked. 54% of the organizations polled, this was Proofpoint’s a prominent company that tracks this data, said that they saw an increase. They’re trying to gain access, so what are they looking for? Most of them, almost a majority of them, are looking to sensitive login credentials, okay? There’s other scams for phishing, but that’s the one that concerns us, because as we discussed in the past, this idea that if somebody’s phished and e-mail is compromised, if we have five or six or seven people in a real estate transaction and one of them is compromised, then the entire network is exposed, potentially. We don’t know who they’re gonna target.
They’re targeting me, my disbursement team, when I wire the net proceeds of the seller to a fraudulent account, are they gonna target the buyer with cash to close? Are they gonna target the lender? We’ve had instances, many many instances this year so far, where lenders have wired to what they think is the title company involved in the transaction, but that title company has been spoofed and those new loan proceeds get diverted to a nefarious account. Good news, awareness is on the rise as well. Education like this and other outlets and content that you’re consuming. This is encouraging that we’re more aware, we’re more alert, we’re more kind of schizophrenic. We’re kinda working with one eye wide open to see that we’re viewing before we just click and we think and to the leaders and the organizational managers on the webinar today, thank you for giving this space and the training and the time for employees that they need to process this information.
I’ll show you some graphs of when they attack most recently, or more frequently, ’cause they know our stress points and they know our transaction cycle throughout the month, Tuesdays and Thursdays being the highest instances when fraudulent and trick phishing e-mails come into inboxes of title companies. The Tuesday stress and the Thursday-Friday pre-closing stress. There’s been a average reduction if you will on susceptibility, so more awareness. We’re measuring susceptibility, which is great. That’s still a little bit low but it’s climbing. And a reduction of susceptibility. That’s all good trends, and hopefully you’re seeing that in your organization. Business e-mail compromise. So business e-mail compromise again is that focal point, that specific fraud profile that’s hitting our industry. The figures always lag ’cause the FBI spends time, they don’t release their report until typically April or May, so we’ll get the ’19 report after the first quarter of next year. Last year’s figures, 43% was almost half, right? Nearly half of all claims coming into the IC3 were related to business e-mail compromise. This is a staggering number.
Most companies saw an increase in attack vectors and 73% saw a direct loss after an attack. Maybe not a total loss, I think we’re also getting better on recovery and responsiveness. The FBI and the Secret Service and the swift recall, the banks are more engaged in this. But a lot of times, there’s either a total or a small loss ’cause they’re moving the money so quickly. For those of you that love graphs and charts, you can see that just between ’17 and ’18, we more than doubled the loss vector, or nearly doubled. But the complaints weren’t trending on that same line, and what I’m saying is, they’re averaging more per fraud. That’s what this is showing. While the instances are higher, move from roughly, what is it, 15 to 20, we nearly doubled in the amount that was taken. I think that’s because they’re trying to profile the higher-value transactions or targets. New strategies to be aware of.
They’re more targeted in e-mails and the domains that they’re spoofing. One action item that I don’t have at the end but you should do is go onto GoDaddy or wherever you register your domains and think about any variation or truncation that you could use around your main domain. If you have an l for title, make sure you’re registering and swapping that out for a number one. Use underscores, I don’t know, Brent. Hundreds of domains we have registered. Literally hundreds of domains we have registered on our properties, either for the title company or for CertifID. They’re inexpensive and you can’t think of all of them, these guys are really creative, but you could think of some of the softball, the ones that would be harder to detect, if you will. But they’re spoofing companies at a more strategic, and I would say, successful level, because they’re willing to do the work and put in that domain research. They’re also shifting to what’s called the many-to-many approach, and this is what is really concerning. When you have more people on a string in an e-mail, by definition we would interpret that as more of a credentialed e-mail. Rather than just spoofing maybe one person in the organization or two people, they’re gonna add additional players and spoof all of those identities.
When that e-mail that they’re trying to strike with comes to the target, they can see, “Oh, well I got Tom on there, “and I got Brent on there, and I got Sally on there, “and I got Joe on there. “Okay, yeah, this has to be legitimate.” This isn’t coming from email@example.com but that’s exactly what they’re doing. That credibility layers in. You have to do a little bit more work in identifying that. This was a fun one. This came in last Monday. We had a whaling example as we were starting off last Monday right into CertifID. I’m gonna give you the raw feed just to give you an example of internally how these things can play out. We’ll have some fun with this. It looks like it’s coming from me. Bill Hook is our head of support at CertifID. We’re not targets, not any more than any other business is, so our number just got drawn and here we go. Let’s try to get some stuff out of this company called CertifID. The e-mail starts, “Are you available? “I need you to personally run a task for me ASAP. “I will be caught up in meetings all day “and my phone will be off. “Just reply by e-mail. “Let me know if you can get this done right now.” One thing you have to realize that you can quickly identify a spoofing or a phishing e-mail… This is whaling, and whaling is because I’m the CEO of CertifID and this is going to one of the employees. Three components: one, some new thing is being introduced into the stream of conversation. It could be a new request, it could be a new set of wiring instructions, it could be whatever happens. There’s something new.
Something is time-bound, right? You need to do something, you need to take action on something that I’m directing you to do. Third is typically something bad happens if you don’t take action. So, new, it’s time-bound, and there’s some ramification in a negative way. To pick apart this initial e-mail, I can do it quickly. Capital A for available. This is, would he use that language? “I need you to personally run a task for me ASAP.” Personally and me, you’re saying the same thing. That may seem like a nuance, but the sentence structure doesn’t necessarily make sense. “I’ll be caught up in meetings all day.” That’s typical. Capital A for and. “My phone’ll be off, just reply by e-mail.” If my phone’s off, then I’m being put in a box somewhere. He would know that, right? And then, e-mail with a capital E. You could just quickly look at this and say, “All right, this doesn’t make sense.” And then “best” and “regards.” That doesn’t make sense either. I sign every signature a different way and he would know that. So, he said, “Hey, I need a couple of gift cards.” Next, he comes in just a few minutes later. “I need some gift cards. “There are some listed clients. “We are presenting gift cards. “How quickly can you arrange these gift cards “because I need to send them out in less than 25 minutes. “I’ll provide you with the type of gift card “and amount of each.
“If you can’t get this done, I need you “to copy who can get this done quickly when responding.” Now it’s being sent from some iPad. Bill and I start to screw with this guy, frankly. The next set of communications are us phishing him back to see how much he knows. We respond, “Of course! “What do you need?” We wanna be a very cooperative victim for this guy. He comes back and says, “the type of gift card I need is “hotels.com or Steam at $500 each and I need six of them. “You might not be able to get them all at one store. “You can go to different stores. “When you get the cards, scratch the back “to reveal the card codes and e-mail me the code. “How soon can you get this done? “It’s urgent. “Note that you will e-mail me the card, not text me the card.” That’s interesting, ’cause this guy’s likely sitting overseas somewhere, okay? We respond back, “This sounds like a great idea. “You know how much we love our “customers and appreciate them.”
Do you have a list of clients we will send to? “I can prepare the cards for you in advance. “Hope your meetings are going well so far this morning.” What I wanted to know is do you know who our customers are, or is this simply a blind expedition? So I come back, now “Hello, Bill.” Getting a little formal. “I have the clients and e-mail details. “You” misspell there, “get the funds from account or use “the funds and I will reimburse you back.” Lowercase I, big tip-off there, lowercase I. Lowercase I again, “am still in the business meeting “and I need to CON-SEN-CRATE.” Okay, Siri isn’t the brightest bulb in the technology world, but I would have corrected that if I was dictating it. But if I’m in a meeting, I’m probably not dictating it. “Once you purchase the gift cards, “scratch off the back code, take a picture of the back, “and attach them to me via e-mail only.” Okay, we respond, “Wow, that’s quite a bit “larger than our standard practice. “Is your idea to write the redemption code “in the personal note you send each client?” ‘Cause that’s what we’ll do, we’ll write a handwritten note. “Can you give me a list of those clients “you’re thinking about so I can let “accounting know how to allocate?” Again, just trying to pull out from this guy, this joker, how much you know.
And then, where we end with is… I’m missing one e-mail here and I apologize, but he ultimately gets frustrated, and that’s where they typically drop off the line. The last e-mail that we had sent basically said, “Hey, I’m in a hot yoga class “and I’m trying to burn off some steam this morning. “When I get back I’ll try to go to Walgreen’s “and get something,” and then the fraudster gets frustrated. I wanted to give you that live feed because you have to see that that’s how it can kinda come into an organization and whenever we get ’em, it’s kinda fun if you can get your IT folks involved and there’s no danger of just keeping them on the line to figure out how much they know. I find it interesting. Social engineering attacks. Again, spoofing and impersonating e-mails just like you saw that they’re engineering and they’re using these transaction level details to put in front of individuals information that looks like it’s coming from a credentialed source. They’re becoming very hard to detect because of the level of information that’s just publicly available now on all of us. The idea of being able to go out and curate a profile on somebody, either through social media or through business properties or websites, just be careful on the amount of information that you’re sharing because all of that if you think about it can be used to curate that profile on you if you’re being impersonated. 25% of data breaches were actually caused by social engineering. 85% of organizations experienced some sort of an impersonation attack and 2/3 saw an increase, so again, this is on the rise. The reason why is that people are the weakest link. As much as we train and we create awareness and our policies are meant to really hold that line of defense, it is hard on a busy Tuesday or a Thursday or Friday when somebody calls in sick or we don’t have the numbers to work up and get released in time, or whatever it happens to be.
An improved last line of defense, end users, what’s nice again on the positive side is we’re seeing and we’re reporting more, and that’s good. That’s what we need to continue to have is the proper training and the proper awareness. One of the things that I’m most concerned about for the industry, and this has come out in the last month or so, and I’ll show you an example, is ransomware and data breaches. I think the industry has benefited from, and I’ve mentioned the term “security through obscurity.” Like, they didn’t know what we did. They didn’t know that we were moving all this money through the escrow accounts. Well, now they do, so we’re feeling that pain. They’re starting to get a glimpse now into the type of personally identifiable information, otherwise known as PII, that we’re required to take in from either financial regulations or the Patriot Act or RESPA or whatever it happens to be. We gather and store a tremendous amount of information both from state law requirements or from our underwriters or from our regulators.
And ransomware is a type of fraud where they’ll infiltrate your system, your computer network, with a sort of virus that locks you out of critical programs unless you pay a ransom, literally. Like, “Hey, if you pay me so much in bitcoin,” or in some currency, it could be U.S. or some other fiat currency, “then I will unlock the program.” What’s amazing is even though they’re thugs and they’re thieves, they will do it because they don’t want a reputation that, “Even though I’m picking your pocket, “ultimately I’m gonna make good on “the benefit of this illegal contract “that I’m setting up under duress.” And they’re skyrocketing. They’re absolutely skyrocketing right now. 105% growth just in the first quarter of this year on ransomware. The average demand is approaching a quarter million dollars and that’s the average ransom demand growth. They’re stepping up their ask and they’re stepping up the velocity of the crimes themselves. Many of you heard about this. If you didn’t, I invite you to google or in any search engine you use, city of Baltimore ransomware and just start reading some articles or a couple blogs about what happened to this city.
City computers were affected, and it affected the ability to provide not only access to public records and that, but also essential services. You can’t have a municipality down. The ransom was $17,600 per station to unlock, and they’re estimating that the total cost, not just the ransomware cost, it was much lower, but the total impact cost is gonna be estimated somewhere in the $18 million range. That took place just earlier this year. We’ll talk about some things to do there, but if you don’t have a security team… I think in regards to this, you have to look at how secure the perimeter of your system is, your network. That deals with the hardware and the firewalls and the things that you put in place. How devices are being connected. But then, the type of data that you store and why are you storing that data and how are you storing that data? And if there’s a way to segregate more legacy data that, for underwriters, I believe it’s six or seven years you have to have a file that you can recall and provide them if there’s a claim or something like that. Because the owner’s policy technically goes on forever.
But do you have to have it in one server or can it be segregated or air gapped into a completely different area that is invisible? So if you think about it, the most safe computer is the one that’s unplugged that’s put in the closet, right? Can’t get access to it. But looking more clinically with your security and your data teams about the types of information that’s being stored. The other thing is, the number one defense to ransomware is regular and complete backups. Because if you have a backup and it’s fully imaged your system, you can tell the guy, just say, “You know what? “Go pound sand. “I’m gonna spool up all my data “that I regularly back up on another server “and I’ll be up and running.” Many companies have avoided that ransomware being hostage and having to make the payment because they have regular and systematic backups. But you gotta test that. Is it a backup lite, or is it a full backup, right? I think you have to make sure you’re doing that. That’s the best line of defense for ransomware. Impact on title companies, and I know we have many industries on the phone, but there are parallels to what I’m gonna describe here. Fraudsters are gaining access to, I’m not just gonna pick on realtors. It’s realtors, it’s lenders, it’s law firms, it’s us. It depends on the attack vector, but they are gaining access to somebody, and once they have access, that’s when the compromise takes place. You monitor, you obtain transaction level information, and once they obtain the transaction level information, I think that’s a downhill run for them. Because so many people, especially first-time home-buyers are going through this process, obviously, for the first time, and they don’t know truth from fiction. We can see it coming a mile away. We just dissected that e-mail of what we can see as far as tells in an e-mail, but they’re just trying to close on their house and they’re trying to get out of their parents’ basement and move onto their first starter home or whatever it happens to be. Just know that the social engineering is next-level.
They’re more strategic and focused here. They’re more patient here. They’re listening longer and more intently before they strike. They may pass over a few transactions that they could infiltrate to make sure that they really have down the cadence and the nuances of the people and how they communicate and who they communicate with. 75% of title agents do not conduct phishing tests. This was a staggering result that I thought. I thought it would be much lower. What a phishing test is is the ability to conduct a training exercise, a drill if you will, to see how susceptible your people may be to clicking on a link that’s a phishing link rather than an actual legitimate link. The recent study by the American Land Title Association said that only, and I responded to this as a large agent myself, “Do you conduct regular phishing tests?” And only 11% said yeah, on a monthly basis. Six said maybe annually. I can tell you, at least quarterly should be a practice because one sense, it could be a phishing lure that’s company-related. Maybe it’s a fake invoice, or it’s a link about, “Hey, I’m gonna “deactivate your account,” or whatever it happens to be. But the other could be more social. It could be something coming through Facebook. It could be something about a company party or a charity or something that has a little softer side to it, but it’s still targeting that individual.
A lot of times, and this is where you have to really huddle with your insurance providers, right now. I’m not claiming to be an insurance expert in E&O or cyber insurance, so there’s my disclaimer. But what I do know, ’cause I’ve gone through the renewal process recently, is this is in a state of flux. It’s not fluxing our way as insured. It’s fluxing because the insurers are really hemorrhaging right now from business e-mail compromise and wire fraud and data breach losses. The actuaries were thinking in their, whatever balance on these balls are coming up, these numbers that equate to risk and premium, and they missed the mark. They missed it huge. So if you notice, you’re looking at more exclusions, more sub-limits for these coverages, and they’re pivoting E&O, they’re pivoting all cyber-related losses typically over to, rather than E&O, having it covered under some cyber policy. You just have to get with your carrier and make sure that what you think is covered is covered. Say it in very plain lang… Use examples, and I would get that in writing if you can with them. “Let me get this straight: if I’m impersonated “and a buyer wires their life savings “to a fraudster, and I have a cyber crime, “and I’ve got cyber coverage and social engineering “and all that, and I got E&O, am I covered?” Question mark. And get something back to understand if there are vulnerabilities. You need to know that.
Real estate is one of the targeted, one of the top targets for all of these scams. The reason why, for those of you kinda new to this webinar series, real estate transactions are public in a sense that because they’re reported on a Multiple Listing Service and because Multiple Listing Services have syndication agreements of data with companies like Zillow and Realtor and Trulia and everywhere else, when a property is actively listed and it moves to a pending status, that’s where the fraudster doesn’t have to guess. “Look, Tom just put his house under contract. “I’m gonna go in and strike.” or “Tom has a listing. “He hasn’t put it under contract yet. “I’m just gonna monitor and see what this looks like.” Think about a situation where, to the tune of tens of thousands a day, if you were watching this feed, you could see active, going to pending, or active under contract statuses. They don’t have to guess. It’s not random in any way. They know they have on average… That’s the other thing, a long transaction cycle. What’s the average? Just under 40 days, right around 40 days? That’s a long transaction cycle to have visibility to the participants. And then just huge sums of cash, just so much money moving in real estate transactions. All right, action items. How can we help defend? Then we’ll get to questions.
The best line of defense, and I’m gonna talk to social engineering and I’m gonna talk to wire fraud, is education and awareness. But we have to put in the word “early” now. Early on education and awareness and engagement on the part of our employees, on the part of our customers, and we have to bring in our relational partners into this conversation. Because if they’re not in tune with the risks associated with wire fraud, and they get exposed, then no matter what we do, our risk level is elevated. Here’s a workflow on a normal residential transaction with a mortgage. You can see here where we have a series of steps involved, title and escrow related. Just know that there are a couple hotspots in the flow. The first is what I mentioned, when the transaction moves from an active to a pending status on the MLS.
That’s the deal board that lights up for the fraudster. The second, and the FBI term I think is a great one, the “kill zone,” and that’s closing schedules to final disbursement, that three to five day period where everything has to come in and everything has to safely be sent out of the escrow account. If the buyers are profiling and starting to communicate the first few days of a transaction and successfully diverting money call it by day seven, they’ve beat us to the punch by at least two full weeks. What I’m saying is, we’re typically not having the conversation about the transfer of funds until we’re close to the final CD or the final closing statement draft, and they know that, so they said, “Look, if they’re gonna believe me “on day 24, I’m gonna make ’em believe me on day four, or day six.” That way, when the buyer shows up, and we predicted this and unfortunately it was true, the Memorial Day Friday leading up to that weekend, there were a lot of buyers that showed up into closing rooms saying that they had wired funds earlier in that transaction cycle, and that was news to the closing agent in real time.
That’s just unacceptable. If you read the courts’ opinions and what our standard of care is as it continues to evolve, it’s rather simple but we have to have the discipline to execute it, and that’s early and comprehensive communication to the transaction participants. So the minute you identify who the buyer is, I would argue… Again, I can’t point to case precedent on this, but I can point to the other side, is if you don’t do it, there’s likely liability. Putting a proper and a timely notice in their hands that they can consume the information and have an awareness. And then a second, somewhere midstream. I call it a day one and a day 15 order. Why would you communicate with them the second time? Well, simple. You got a lot goin’ on.
This is like a fire hose for a lot of first-time home-buyers. You’ve got inspections, you’ve gotta find some insurance carrier, your lender’s asking for blood samples. Kidding, to the lenders on the call, but it’s just a lot going on. It’s stressful, so when cooler minds are prevailing, I think another refresh leading up to what ultimately is the transfer of, it could be cash to close by wire transfer. The challenge is you don’t know a lot of times whether or not they’re actually gonna wire funds until, what, a few days before closing? Sometimes they’re in the lobby and you learn, right? That’s crazy but it happens all the time. But that doesn’t matter. You have to put in front of them the notice that this is an issue and it’s their issue. They’re trying to steal the life savings of your customer. No different than breaking into the house and stealing the jewelry and stealing the safe and all that. It is the same; they’re just doing it electronically. For our customers, we provide these notices and then certified can be used to transmit the wiring information.
That’s the other thing. You gotta make sure you securely transmit the wiring information and you can prove they received it. So if their e-mail account has been hacked, you better be able to show if they lose their funds that you did everything you can to protect. It’s really trying to help mitigate these instances where the hotspots are more in a cautionary state. And I say that because ultimately, you’re not responsible for driving the buyer to the financial institution to wire the funds out of their account shoulder-to-shoulder, but what you do need to be able to demonstrate if they do lose their life savings ’cause they get a phone call on the way to the bank even though you sent the notices and you securely sent the wiring information, but they got tricked at the last minute. This is a reality, guys. I hate to say it, but you can’t fix all human behavior. But what you can do is say, “Look, while I can “empathize with that loss,” and I really can. I wanna make sure that for everyone on this call, that empathy doesn’t translate into legal liability when they’re named in a lawsuit and they’re being called to account for what they did or did not do that could have mitigated this loss or prevented it altogether. That’s the hook right now for people that are wiring funds into escrow accounts and you’re being asked to share your wiring instructions. On the flip-side, the disbursement side, you still have to provide the notices to the transaction participants, but you just have to be very sure that when you’re consuming this information on bank credentials that it can be trusted before you send the wire out. So that’s timing. I would say probably the most significant. People. I wanna give some tips on what can we do with our people. Train, train, train. The nuances, the fraud trends, we carve out and I think everyone should on their regular staff meetings or whatever, carve out seven to ten minutes and go through some fresh examples of what’s coming into the organization.
Don’t be ashamed just because you’re getting phished and you may have people knocking on the door that you wish would go away. You’re not targeted; you’re just doin’ deals. It’s part of the world we live in right now. I think creating a culture and bringing IT in as a trusted resource, because they have a tough job right now. We need to hug our IT folks. Brent, I’m not gonna do it on camera but virtual hug, buddy. They have a tough job right now because they have to secure the perimeter. They have to secure and make sure that the policies hold, even though some employee might’ve had kids throwing eggs at him in the morning or it was just a stressful getting ’em off to school, or now they’re on Christmas break. Shoot me, right? Or, I’m sorry, summer break. My morning this morning. But you have to create this trust and you have to create the idea that everyone is responsible for cyber security in the organization. This isn’t a them us. “IT’s got that handled. “Until I see something from IT, “I’m not gonna report anything or do…” No, it’s an all of us type responsibility now. This last one, you just have to do it. You gotta get a baseline of how susceptible your people are. Start phishin’ ’em. It’s a fun exercise. You can make it fun as you deliver the results. You can do it anonymously. It’s a great training tool and icebreaker for staff meetings and annual meetings. This should be done on a periodic basis. We have links where you can do it through, there’s a free google, there’s a free app, PCTEST, or there’s third parties that really specialize and get more granular. From a process standpoint… Now I’m gettin’ into questions. Multi-factor authentication, we talked about that. Two-factor authentication. We have to have those turned onto our accounts. Not only our company accounts, but also our personal accounts like Facebook and Instagram and LinkedIn and those places where they can infiltrate and start to manipulate information and gather user credentials. Role-based permissions.
So for those of you that sit at an admin or control level, can we more I would say, granulate or restrict the areas that if I had an escrow officer who was compromised and that fraudster had to tunnel in, could we restrict where else in the organization or the platform the fraudster would be able to go? You wanna start to create some road blocks or dead-end doorways, if you will. If they don’t need the permission or don’t need the access, you may want to look at more on a clinical level restricting that access. Anti-virus scan. Guys, software is updated for a reason. A lot of times, it’s updated because they found some little crack in the doorway where a fraudster was able to get in and then ultimately infiltrate a network. Anti-virus scans and regular updates are absolutely critical. VPNs, there’s several ways to configure these. One of the best ways is to do it tethering the VPN based on a machine to a machine, but virtual private networks are a great way to harden security, especially, a lot of us do, we’re accommodating multiple different offices and footprints with even remote offices and users.
The discovery and instant response plan. You gotta have somebody in place that is tasked with doing this work and if there is an incident, a security breach, there are reporting requirements in each state right now. That’s the other thing. Whether or not your state has passed it, many have. New York, South Carolina, Michigan recently. Significant data and breach response legislation now, codified as statute, on how and the ways that we need to store and respond to incidents. You just have to have a plan in place because if there is a big breach and you’re scrambling, I think the losses’ll be much greater than had if you put a plan in place. And if you don’t know somebody, you can e-mail me, or shoot me… I don’t get paid for these referrals but we’ve got some great people around the country that we’ve met over the last couple years that could come alongside and build that for you and put those processes and procedures in place. All right, questions. Oh, before I do, our future briefings… We’re taking July off because everyone on the call will probably be on vacation, which I don’t blame you. We’re gonna come back in August. We’re gonna go through court decisions on wire fraud losses. This one is gonna be a nail-biter from what I know already, but it’s information that you need to know. It’s really good for our referral partners that may have had, their heads may be in the sand so far that the tops are warm on this issue and that’s a whole session for another conversation.
But we’re gonna talk about court decisions. We’re gonna have an insurance expert in September come on and kinda dissect, give us the state of the union on what happened and what to expect on our next renewals and then we’re gonna go through and we’ll probably have someone from the FBI, based on conversations I’m having right now that can talk to us about some best practices and maybe trends that we’ll likely see going into next year as we do our planning and visioning. Question number one: will a link be presented today to distribute to the rest of my staff? Guys, you can distribute it to your staff, you can distribute it to any of your referral partners. This is meant to be content that is shared openly. I would say, and you probably agree, that a lot of people need to hear this type of and other similar content, so absolutely. Fraudsters are starting earlier but we oftentimes don’t have all the information. How do we educate them if we don’t know… This is a challenge. The idea is, “I don’t know who they are “so how could I possibly reach out?” Well, that isn’t good enough anymore. If we’re getting a request to start a loan or to open up a title file, or whatever it happens to be, you have to be able to get at least their name, their e-mail address, and a phone number associated with them. They’re not working with Casper the ghost. Somebody is on the other end of this communication that is engaged on this property and you need that at the time of file opening. Just let the folks know on the other end, your referral partners, that this helps both of us. We just need that. And you know what? Slow down and write legibly. Some of these purchase agreements, it’s just very hard to distinguish who in the world’s on the other end. But we just have to draw a line in the sand, because if not, that is a ticking clock right now, especially that first week in the transaction where the buyer could get compromised. “As you mentioned, fraudsters gained access “to an agent’s account. “I can’t prevent that from happening.
“How do I protect myself and others, “other parties’ e-mails from being tampered with?” Again, if you could go out, one of the things that I would strongly recommend, is do a lunch and learn to your key real estate partners and talk to ’em about the value of two-factor authentication and using strong passwords. A lot of agents, while they may be at one national brand that has a lot of cyber security if you’re using their domain, a lot of them are using like teamtom@gmail because I want the portability of my brand if I switch programs. Drives us crazy. But you can still do that and layer in at least some of those security protocols through complex passwords and two-factor authentication. You’d be doing them a service. It would be a really, most impactful 30 minutes you could make on securing e-mail accounts would be those two things. “At some point our customers must assume some liability. “How can I know when I’ve done enough?” I don’t know when you’ve done enough because we don’t have decisions yet. This isn’t state law. All the stuff is evolving in the state and federal courts in real time. The other challenge is 98% of cases settle. It’s just not worth the cost of going the distance. You know that in real property. Very few decisions versus disputes that actually take place. But I know we do have a glimpse into where liability is rendered, and if you read those opinions, it’s very clear. It’s what I describe as a see something say something requirement.
The American Land Title Association, the National Association of Realtors, the Mortgage Bankers Association, the American Bar Association. All of these trade associations that we subscribe to and look at for guidance have put out guidance. And then you get down to the state level and they’ve all put out guidance. But if that isn’t properly communicated in a timely way to the consumer that’s ultimately harmed, that’s where their responsibility starts to pivot to your liability, and that’s what we need to prevent. So I call it a layered approach, exhibits, if you will. You have to be building exhibits in your file of instances, where through communication and touchpoints and acknowledgements, you have educated and gotten basically them to acknowledge that this is an issue, I’ve got your wiring instructions, and I’m gonna follow them. And if ultimately, they don’t, you get named, which look, for 300 bucks and a laser printer, you can get named on a lawsuit, you’re not gonna prevent that, how quickly can you get out of that conversation before it starts to get really expensive in discovery and trial prep? “What types of training can I do to help my employees “at spotting phishing or spoofed e-mails?”
You could go online. I mean, there’s a lot of different articles on this, but I would say the best examples are ones that are coming into your organization. If you’re using a e-mail monitoring and security tool like Mimecast for example, pulling some of those e-mails and reports that got flagged in their net and using them as examples. The phishing is a great example. If you did a phishing test and then you could show exactly the hit rate and what people responded to and how much information they were giving up, I think that’s a good way to do it. Again, if you don’t have an IT department, then just connect with a security and an expert in this area. It’s well worth the investment. “Your gift card example, can we report “those e-mail addresses? “Is there any way to catch that fraudster?” What I learned during the trial experience is the FBI, the federal authorities, they’re fantastic people. They work their guts out to help us in the industry. I learned that more than anything else. I had high respect. I mean, my respect is through the roof for these guys, now, but they’re overwhelmed. The bar is really high for them to even be able to take on a case to prosecute. With that said, it’s still worth reporting because you could be reporting something let’s say in Michigan that connects a dot. That’s what we did.
We connected a dot in Michigan and New York and Texas that ultimately connected a dot to western Nigeria. You never know where those dots get connected and how long. It took two years, but ultimately it got connected. Whether or not they’ll be caught, I don’t know. It’s kinda like whack-a-mole right now. You whack one down and another one pops up because this is a low-tech, very high-impact type crime that they’re facilitating. But I think we still have to help our friends in the enforcement arena to do the work. “I’m a small company who can’t afford dedicated IT staff. “What can I do?” Another good question. Just online, a lot of people’ll do it on a flat monthly rate. They’ll come in and they’ll help create a security plan, and look, you’re not gonna do it all overnight. That’s the other thing. Don’t lose sleep over the fact… “Yeah, but I gotta do this hardware “and software and people and process “and all of this stuff that’s gotta get done, “there’s like a million different things.”
No, there’s two or three things in each category that would provide tremendous lift that you could get done probably in a matter of 60 to 90 days that would put you on a totally different trajectory from a client and a security standpoint. Like I say, if you want a referral, send me a link. Or LinkedIn me. If you guys aren’t following me on LinkedIn, we’re constantly posting videos and updates on that. I’d be happy to connect you with somebody. “How do we communicate to customers “that there may be a few extra steps “in the closing process because of “the need for greater security measures?” That’s really good. That’s just, the world has changed, and I mean, if they google “wire fraud real estate,” they could absorb some content themselves. But I think that’s a really good question, is just because it may be a little more friction or, “I just closed on a property, “I didn’t have to do that last year.
“What’s all this business? “You’re making this hard.” I’m not making it hard; I’m making it safe. I’m making it safe. So no different than if you got a neighborhood under attack with break-ins and everything else, people put cameras up, right? People would have an officer patrolling. That’s what you’re doing. But I would say that the people that do the work in this area stand to gain immensely because you can turn cyber security and the things that you’re doing in this regard to protect your customers and your referral partners into a business development opportunity. I think it’s as important, from what I’ve seen, as a proper and timely title commitment with all the requirements and a closing statement that has all the fees and balances before closing disbursement. It’s just another category we have to take on.
“Once our system flips the responsibility “of verifying wiring instructions to the “buyer or seller, the title company sends multiple notices “asking the buyer or seller to call. “The title company ought to verify that in reverse.” So the callback procedure, the issue of right now, our best practice is the phone. I don’t argue with phone, I don’t argue with secured e-mail, it’s just there are examples that are using SpoofCard and they’re using some other technologies where they’re impersonating phone numbers to make it look like you’re calling somebody that ultimately might be a fraudster on the other end. You just have to be careful.
You gotta triangulate that information a little more carefully before you do that. Yeah, if you have a phone center and you’re just calling people outbound and verifying, great. If you’re interested, I’d love to talk to you about what we’re doing as we automate that process, and we guarantee each wire up to $1 million. Anyway guys, great questions. I hope you found this useful. Have a great July, so we’ll take July off and we’ll be back at this in full steam in August with those court cases. Until then, take care.